Reading List

The most recent articles from a list of feeds I subscribe to.

When being Hitler’s guard was a literal drag…

Quick segue here, but this story is too good. In 1942, Die Grosse Liebe came out, Goebbels’s Magnum Opus other than Triumph of the Will. The Nazi propaganda minister was really into this movie and wanted it to be a huge success swaying the emotions of the German people back to believe in winning the […]

Some notes on starting to use Django

Hello! One of my favourite things is starting to learn an Old Boring Technology that I’ve never tried before but that has been around for 20+ years. It feels really good when every problem I’m ever going to have has been solved already 1000 times and I can just get stuff done easily.

I’ve thought it would be cool to learn a popular web framework like Rails or Django or Laravel for a long time, but I’d never really managed to make it happen. But I started learning Django to make a website a few months back, I’ve been liking it so far, and here are a few quick notes!

less magic than Rails

I spent some time trying to learn Rails in 2020, and while it was cool and I really wanted to like Rails (the Ruby community is great!), I found that if I left my Rails project alone for months, when I came back to it it was hard for me to remember how to get anything done because (for example) if it says resources :topics in your routes.rb, on its own that doesn’t tell you where the topics routes are configured, you need to remember or look up the convention.

Being able to abandon a project for months or years and then come back to it is really important to me (that’s how all my projects work!), and Django feels easier to me because things are more explicit.

In my small Django project it feels like I just have 5 main files (other than the settings files): urls.py, models.py, views.py, admin.py, and tests.py, and if I want to know where something else is (like an HTML template) then it’s usually explicitly referenced from one of those files.

a built-in admin

For this project I wanted to have an admin interface to manually edit or view some of the data in the database. Django has a really nice built-in admin interface, and I can customize it with just a little bit of code.

For example, here’s part of one of my admin classes, which sets up which fields to display in the “list” view, which field to search on, and how to order them by default.

@admin.register(Zine)
class ZineAdmin(admin.ModelAdmin):
    list_display = ["name", "publication_date", "free", "slug", "image_preview"]
    search_fields = ["name", "slug"]
    readonly_fields = ["image_preview"]
    ordering = ["-publication_date"]

it’s fun to have an ORM

In the past my attitude has been “ORMs? Who needs them? I can just write my own SQL queries!”. I’ve been enjoying Django’s ORM so far though, and I think it’s cool how Django uses __ to represent a JOIN, like this:

Zine.objects.exclude(product__order__email_hash=email_hash)

This query involves 5 tables: zines, zine_products, products, order_products, and orders. To make this work I just had to tell Django that there’s a ManyToManyField relating “orders” and “products”, and another ManyToManyField relating “zines”, and “products”, so that it knows how to connect zines, orders, products.

I definitely could write that query, but writing product__order__email_hash is a lot less typing, it feels a lot easier to read, and honestly I think it would take me a little while to figure out how to construct the query (which needs to do a few other things than just those joins).

I have zero concern about the performance of my ORM-generated queries so I’m pretty excited about ORMs for now, though I’m sure I’ll find things to be frustrated with eventually.

automatic migrations!

The other great thing about the ORM is migrations!

If I add, delete, or change a field in models.py, Django will automatically generate a migration script like migrations/0006_delete_imageblob.py.

I assume that I could edit those scripts if I wanted, but so far I’ve just been running the generated scripts with no change and it’s been going great. It really feels like magic.

I’m realizing that being able to do migrations easily is important for me right now because I’m changing my data model fairly often as I figure out how I want it to work.

I like the docs

I had a bad habit of never reading the documentation but I’ve been really enjoying the parts of Django’s docs that I’ve read so far. This isn’t by accident: Jacob Kaplan-Moss has a talk from PyCon 2011 on Django’s documentation culture.

For example the intro to models lists the most important common fields you might want to set when using the ORM.

using sqlite

After having a bad experience trying to operate Postgres and not being able to understand what was going on, I decided to run all of my small websites with SQLite instead. It’s been going way better, and I love being able to back up by just doing a VACUUM INTO and then copying the resulting single file.

I’ve been following these instructions for using SQLite with Django in production.

I think it should be fine because I’m expecting the site to have a few hundred writes per day at most, much less than Mess with DNS which has a lot more writes and has been working well (though the writes are split across 3 different SQLite databases).

built in email (and more)

Django seems to be very “batteries-included”, which I love – if I want CSRF protection, or a Content-Security-Policy, or I want to send email, it’s all in there!

For example, I wanted to save the emails Django sends to a file in dev mode (so that it didn’t send real email to real people), which was just a little bit of configuration.

I just put this in settings/dev.py:

EMAIL_BACKEND = "django.core.mail.backends.filebased.EmailBackend"
EMAIL_FILE_PATH = BASE_DIR / "emails"

and then set up the production email like this in settings/production.py:

import os

EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_HOST = "smtp.whatever.com"
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = "xxxx"
# The SMTP credential is read from the environment, not stored in the settings file
EMAIL_HOST_PASSWORD = os.getenv('EMAIL_API_KEY')

That made me feel like if I want some other basic website feature, there’s likely to be an easy way to do it built into Django already.

the settings file still feels like a lot

I’m still a bit intimidated by the settings.py file: Django’s settings system works by setting a bunch of global variables in a file, and I feel a bit stressed about… what if I make a typo in the name of one of those variables? How will I know? What if I type WSGI_APPLICATOIN = "config.wsgi.application" instead of WSGI_APPLICATION?

I guess I’ve gotten used to having a Python language server tell me when I’ve made a typo and so now it feels a bit disorienting when I can’t rely on the language server support.

that’s all for now!

I haven’t really successfully used an actual web framework for a project before (right now almost all of my websites are either a single Go binary or static sites), so I’m interested in seeing how it goes!

There’s still lots for me to learn about, I still haven’t really gotten into Django’s form validation tooling or authentication systems.

Thanks to Marco Rogers for convincing me to give ORMs a chance.

(we’re still experimenting with the comments-on-Mastodon system! Here are the comments on Mastodon! tell me your favourite Django feature!)
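On the settings-typo worry in the Django notes above: Django ignores names it does not recognise in a settings module, so a misspelled security setting silently keeps its default. The following is an added example, not code from the original post; `find_suspect_settings`, the cutoff value and the sample module are assumptions made for illustration.

```python
"""Flag settings names that look like typos of built-in Django settings."""
import difflib
import types

# Constructed subset of real Django setting names, used only when Django is
# not importable. With Django installed the full list is read from
# django.conf.global_settings instead.
FALLBACK_KNOWN = frozenset({
    "ALLOWED_HOSTS", "CSRF_COOKIE_SECURE", "DEBUG", "EMAIL_BACKEND",
    "EMAIL_FILE_PATH", "EMAIL_HOST", "EMAIL_HOST_PASSWORD", "EMAIL_HOST_USER",
    "EMAIL_PORT", "EMAIL_USE_TLS", "INSTALLED_APPS", "MIDDLEWARE",
    "ROOT_URLCONF", "SECRET_KEY", "SECURE_SSL_REDIRECT",
    "SESSION_COOKIE_SECURE", "WSGI_APPLICATION",
})


def known_django_settings():
    """Return the setting names Django itself defines defaults for."""
    try:
        from django.conf import global_settings
    except ImportError:
        return FALLBACK_KNOWN
    return frozenset(n for n in dir(global_settings) if n.isupper())


def find_suspect_settings(settings_module, known=None, cutoff=0.85):
    """Map each unknown UPPER_CASE name to the built-in setting it resembles.

    Names that are not close to any built-in setting (project-specific or
    third-party settings) are left alone, so only near-misses are reported.
    """
    known = known_django_settings() if known is None else frozenset(known)
    candidates = sorted(known)  # stable order for difflib
    suspects = {}
    for name in vars(settings_module):
        if not name.isupper() or name in known:
            continue
        match = difflib.get_close_matches(name, candidates, n=1, cutoff=cutoff)
        if match:
            suspects[name] = match[0]
    return suspects


def constructed_sample_settings():
    """Build a constructed settings module containing two deliberate typos."""
    mod = types.ModuleType("constructed_settings")
    mod.WSGI_APPLICATOIN = "config.wsgi.application"  # typo from the post
    mod.CSRF_COOKIE_SECUER = True   # constructed typo: cookie flag never set
    mod.EMAIL_PORT = 587            # correct built-in name
    mod.BASE_DIR = "/srv/app"       # project-specific, not a typo
    return mod


if __name__ == "__main__":
    found = find_suspect_settings(constructed_sample_settings())
    for wrong, right in sorted(found.items()):
        print(f"{wrong}: did you mean {right}?")
```

In a real project, pass the imported settings module (the one named by DJANGO_SETTINGS_MODULE) and fail the test run if the result is non-empty.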

2025 Angel Investments — Ada Ventures Angels Program

In 2025, I invested as an angel through the Ada Angels program, backing pre-seed companies in Denmark aligned with Ada Ventures’ thesis on healthy aging, climate equity, and economic empowerment.

Portfolio Companies

Healper (https://healper.dk)

Marketplace connecting psychologists/therapists to patients. Sourced through another angel in the Ada program. Why I invested: This was my first deal under […]

Naked Power

Twitter's descent into a gutter of the lowest order has been wrenching:

Elon Musk’s Grok and the Mass Undressing Scandal

As I draft this, a week later, it appears pressure from civil society, investigations by regulators, and outright bans on multiple continents have forced Musk to back down to an uncertain degree.

As this scandal roiled, Twitter's apps have been continuously available in Google's Play and Apple's App Store, marking new lows in moral cowardice and non-enforcement of the duopolist's own policies.

Now we sit on tenterhooks, wondering if the worst has actually passed. What outrage will the valley's billionaire man-children unleash next? Meanwhile, we brace for this episode to embolden censorious authoritarians keen to suppress a free press and legitimate speech they dislike.

This is the backdrop to Elizabeth Lopatto's must-read denunciation in The Verge:

It is genuinely unbelievable to me that I wasted hours of my actual life on a court case where Apple explained it needed total control of its App Store to protect its users. Total control of the App Store was Apple’s main argument against antitrust enforcement: The company insisted that its monopolistic control of what users could install on their phones was essential to create a walled garden where it could protect children from unsafe content.

Ha! Ha ha ha!!

— Elizabeth Lopatto,
"Tim Cook and Sundar Pichai are cowards", The Verge

Failure to react to the “everything app” going all-in on abuse of women and girls for weeks reveals the illegitimacy of their mobile monopolies[1]; anyone pretending otherwise is a fool or a dupe.

We don't need to guess why they sat on their hands.

Acting against Musk's abusive apps might put Apple and Google out of favour with an erratic, power-tripping administration which in turn could impact short-term business prospects. Their stated principles are incompatible with maximizing shareholder value under competitive authoritarianism.

Recall that both firms lent their monopolies on software distribution to ICE, citing the implausible claim that federal agents are a “vulnerable group.” The undressing scandal is the same choice in relief.

Facilitating the unthinkable at the behest of administration allies pays homage to power through obscenity. If they offend Musk…who knows what could happen? So maybe let it play out; let others take the heat. Surely somebody will do something. The internal monologue of the quisling scarcely needs exposition.

And so abuse at scale was amplified through their channels, against their own policies, for weeks.

The duopolist's justifications for monarchical app stores have always been bullshit, top to bottom, stem to stern.

App stores are not sui generis; they're just programs that install other programs, and "apps" are whatever the OS says they are.

As Cory Doctorow observed:

Apps interact with law in precisely the way that web-pages don't. “An app is just a web-page wrapped in enough IP to make it a crime to defend yourself against corporate predation”

It sure looks like Apple and Google failed to protect women and girls in order to preserve the rents they extract from the ecosystems these IP wrappers give them control over.

Gatekeepers like to point out that the wrapper comes with treats — business-critical capabilities and services that OS vendors lock behind proprietary APIs — but this is misdirection.

Web apps could provide safe, privacy-enhancing versions of every capability they currently reserve to native apps, and the duopolists know it. In an earlier era, open platforms chewed up proprietary features and spat out interoperable standards to cover the most useful 80% of that ground safely. Along the way, they published under open licences, dropping the price of commodity features to near-zero. This reduced lock-in for both developers and users which, in turn, forced incumbents to innovate.

Today's gatekeepers are desperate to keep that from happening again. It would upset the entire rentier model.

That's why Apple has worked furiously to keep APIs away from browsers through legal wrangling and subversion of standards. Cryptography and lawyers have also been enlisted to keep other programs-that-install-programs out and a safe, powerful open web at bay. Without those shields, we'd see the deeper failures clearly.

Consider the justifications Apple and its merry band of astroturfers trot out like clockwork to delay browser choice. Cupertino argues it must exclusively control browsers and software distribution to:

  • Ensure device security
  • Prevent frauds and scams
  • Provide a bulwark for privacy
  • Simplify software acquisition and distribution
  • Keep a lid on the most objectionable content

Now we see clearly that protection on the last point comes not from the stores, but from civil society and governments. This provides a template: each justification is an admission; misdirection to cover culpability.

Let's take it from the top.

Stores don't ensure security, runtimes do.

Operating systems and browsers — the platforms that sandbox code and mediate permissions — protect users to the extent they're designed to; app stores are just overwrought “beware of dog” signs meant to scare off easily intimidated ne'er-do-wells. It's no surprise that whenever app stores are trusted with the role, a trail of harrowing failure follows.

This unearths the lie behind the obfuscation: iOS and Android didn't create stores to deliver unheard of security — iOS 1.0 did that by forbidding unsafe native code, replacing it with a better web[2] — the gatekeepers built app stores because their OSes were and are insecure platforms for native apps. When mobile apps were web apps, the presumption of safety reigned. Alas.

Retreating from safety dovetailed with retreats from safe, open, interoperable computing in other ways. It's no coincidence that Apple backed away from adding capabilities to the web at the same moment it realised it could tax native apps extortionately.

App stores are Marketing's answer to a brand-promise problem: what to do about a hole below the water line that Product and Engineering aren't just failing to patch, but are enthusiastically expanding instead?

The whole facade of the duopolist's power hinges on the false claim that stores create security. Without the need to paper over the disaster of carelessly dispensed power tools, none of the rest of the services the stores provide could be justified; certainly not at the ruinous prices they demand.

More recent, chest-thumping pronouncements need to be evaluated in the same light. These aren't heroic explorers of new frontiers, they're embarrassed students bluffing book reports for tomes they didn't read.

Instead of protecting us, app stores reward platform vendors for security failure and foster centralising, anti-Open Source ecosystems. Open societies cannot abide closed platforms that assert ownership of this much of our lives, particularly not when claims of security are based on misrepresentations.

In the narrow conception, the app stores are feckless. Taking a wider view, they're complicit. Enabling, even.

Under a strict definition of “fraud,” the track record of app stores is abysmal. Take just one recent example: while loudly proclaiming to protect users from scams, Apple simultaneously facilitated wide-scale app impersonation at the launch of Sora. This failure isn't a one-off, either. Bald-faced imposters are a long-running problem for stores that pretend to both users and developers that they protect from exactly these sorts of scams.

For its part, Google routinely facilitates shocking amounts of ad fraud via Play. Stores also failed to catch clearly fraudulent fronts for sanctioned Russian banks. This is just the tip of the proverbial iceberg.

If we widen the aperture to let in adjacent classes of user abuse, the situation looks immeasurably worse.

Apple's policies purport to disallow use of the ultra-low-friction IAP systems for gambling:

5.3.3 Apps may not use in-app purchase to purchase credit or currency for use in conjunction with real money gaming of any kind.

This text is lawyered to sound like a curb on gambling addiction's worst effects. In reality, it's designed to facilitate the predatory “gambling lite” systems Apple and Google gleefully fostered.

For most of the mobile duopoly's existence, the primary revenue driver has been the problematic, gambling-adjacent behaviour of “digital whales” in so-called “casual games.”

And don't imagine the wilfully predatory behaviour is limited to adults. By allowing “bait apps” — even after previous FTC settlements that should have forbidden them — the app stores have shown us the duopolist's true colours. Serial disregard for the financial health of users is literally baked into their model.

This is the rotten core of mobile app stores. Understood in POSIWID terms, they exist to tax casinos that exploit gambling addictions of vulnerable users.

App stores safeguard privacy the way packs of wolves safeguard flocks of sheep.

The only appropriate response to the two-faced, duplicitous claims by Apple and Google towards privacy in recent years is incandescent rage.

I've covered before how Apple's posturing against Facebook is nothing but kayfabe and how Cupertino's privacy arguments regarding alternative browsers are steaming piles of illogical nonsense.

In reality, our privacy problems have been multiplied by Apple and Google.

It was the duopolists that created APIs for persistent background access to your contacts, calendar, location, radios, battery levels, and much else besides. It was the duopolists that then turned around and claimed credit for incrementally curbing the worst abuses of the APIs they themselves handed out like candy. Remember, they added these easily-tracked features knowing full well they would be abused.

How do we know they knew better? Both exposed shocking amounts of information about users to all comers after building browsers that protected from these very risks. Both had past form building web APIs that expanded platform power more thoughtfully. Caution was thrown to the wind by the very folks that now demand credit for remediating tiny patches of the superfund sites they created.

It was the duopolists who handed those APIs to native apps from shady publishers like Facebook with less-than-thoughtful controls. And it was these very companies that failed to police even their mildest policies.

And these same trillion-dollar market-cap firms simultaneously declined to do the one thing that had a chance to dramatically improve privacy: using their incredible lobbying capacity to forcefully call for privacy regulations worth a damn. Instead, they prefer a market structure where they can posture against each other over problems they jointly exacerbate.

And they have got away with it. Their press and product shops are keenly aware reporters don't understand privacy deeply enough to call their bluff, and that so-called privacy experts will clap as loudly for symbolic gestures as for fundamental change.

Humiliatingly for the fourth estate, Cupertino and Mountain View's self-issued privacy participation prizes were never questioned. Indeed, credulous journalists continue to shower them with praise for steps away from the very worst excesses best measured in angstroms.

Recently, Apple have been allowed to take credit for foisting responsibility onto users while Google has faced no sustained questioning for just giving up, having never launched anything at all to structurally curb Android abuses.

Cynics might be inclined to think this was very much the point.

POSIWID shows that monopolies on apps-that-install-apps exist to squash competition, not to preserve privacy. Apple's not trying to keep alternative browsers off of iOS because browsers track users, they're keeping better browsers out because they could provide an alternative that doesn't.

You know what the easiest way to get an app is? Clicking a link.

Apple literally pioneered this model with iOS 1.0, only to walk away from it a year later when it chose to carelessly expose overpowered, unsafe-by-default APIs with the hurried introduction of native apps. Throwing away privacy and security made software harder to build and distribute, too, but deposited power over developers with OS gatekeepers. Over time, the power to tax those developers became addictive.

A more secure and privacy preserving model is still possible but the duopolists continue to suppress it. I can't speak out of school about all the ways Android and Play mirrored Apple's underhanded tactics to suppress PWAs, but suffice to say it was a lot.

Industrial-scale suppression of safe, privacy-respecting platforms has been packaged up in florid terms as an advantage for developers. Except developers hate mobile app stores. But you don't have to take my word for it.

Given the choice, developers would do exactly what the gatekeepers do when constructing billing, distribution, and marketing systems: shop around in an open market, based on standards-oriented technologies, and select the best fit for their needs.

This is exactly the model that gave rise to the web and to web search. Discovery for web apps isn't impossible without omnipotent app stores; it isn't even hard. If we can build search engines for web pages, we can also highlight sites that are installable. None of this is magic, and none of it requires a 30% take from the developer's budget.

For the sake of completeness, we should stipulate that an end to app stores would not meaningfully change the content moderation landscape.

We now have a powerful example of this counterfactual thanks to the Twitter/Grok episode. There is no safety to be lost when we replace the gatekeeper's stores with a powerful, open, interoperable web. Mobile app store proprietors stand for nothing but profit and can be counted on only to defend their take. Good riddance.

Before the 2024 US elections, tech titans were well-enough advised to know which way the winds were blowing. But that did not stir them to defend truth, the rule-of-law, or even the employees that enabled their success. Instead, they hurried to capitulate. Today they sponsor coup-excusers, pay vigs, grovel to people they surely loathe, and fund the literal destruction of America's institutions.

This month's failure to stand up for basic decency is just another link in that chain.

Having narrowed the running to two choices, mobile's masters always ask us to consider governing our phones through the authoritarian frame of "who should rule?"

But these aren't our only choices. As Popper retorts, the better question is "How can we so organize political institutions that bad or incompetent rulers can be prevented from doing too much damage?"

This isn't purely a political question, but applies to all of society's power structures. The callous indifference of the app store's billionaire managers (1, 2) when faced with an even moderately difficult call tells us that they cannot be trusted; this was the test, and the mobile overlords failed by their own terms.[3]

What's left for the rest of us to take on is how we dismantle the mechanisms our misplaced trust helped them build. This will not be easy, and an insightful commenter at The Verge restates the core problem:

This is true and fantastic reporting and why we need to pay for The Verge.

But, it begs the question, what do we do?

Do we opt out of the tech of the modern world to protest? Commitment to values isn’t what we talk about, it’s what we are willing to give up. A key problem is that we don’t have any real competition vs Apple or Google as platforms if we want to exist in the modern world or even have this conversation.

You can’t (easily) read this or participate from a Kobo or Lightphone. Anyone have any suggestions?

I dropped off Twitter and Meta, but I’m running out of options.

— Anonymous commenter,
"Tim Cook and Sundar Pichai are cowards", The Verge, Comments

We aren't going to get anywhere by throwing our iPhones and Androids into the sea.

Credible, incremental steps that remove power from the gatekeepers are now demanded, and as I have previewed throughout this piece, the open web is that next step. It has all the properties we need to attenuate misgiven power: no single vendor control, based in standards, multiple OSS implementations, and most of all, portability.

The web is an abstraction that holds the power to liberate our computing in-situ, removing superfluous gatekeepers from the loop an increasing fraction of the time. As use of the web grows, so do the prospects for alternative OSes and hardware ecosystems. They know this, and that's why they're trying to keep the web from winning.

Moving our computing to browsers and web apps won't protect us from Musk, but neither will Apple or Google.[4] Now that we know that, we can at least start to claw back at the corrosive power of monopolists in our pockets by building for a future that doesn't depend exclusively on them.

FOOTNOTES

  1. Some folks like to continue to pretend that the mobile duopoly still includes any serious competition for either player. I assume those people are paid to review phones for a living.

    As I outlined in this year's instalment of the Performance Inequality Gap series, the mobile market is actually two distinct markets: iOS for the rich, and Android for the rest. The average price for iPhones is hovering nearly $1K, while the average Android costs $300 new, unlocked. There is no functional competition between these ecosystems, and though they'll never admit it, that's a situation the duopolists are more than comfortable in, even if they don't particularly love it.

  2. ChromeOS introduced the same safe-by-default model to desktop computing several years later. In both cases it was necessary to aggressively expand the web platform's capabilities to support the sorts of applications that users and developers needed, and in both cases that effort was successful. But both Apple (and to a lesser extent, Google) backed away from that strategy when it became clear that fundamentally unsafe, wickedly overpowered platforms were a hit with developers of viral apps. What followed has been 15+ years of papering over the inherent flaws in the model and shifting blame for the mobile platform maker's own predictable (and predicted) failure to keep users safe.

  3. If it always falls to civil society and regulators to protect women and girls from Elon Musk and his Trumpian alliance, what is the point of Tim and Sundar? Of Play and the App Store?

    And if their policies are just fig leaves to justify rent extraction, why should any regulator listen to anything they say?

    These questions should be hair-on-fire in the capitols of still-functioning democracies.

  4. It is not the most offensive thing about this episode by a country mile, but I am driven to distraction by how unbelievably stupid Apple and Google have become.

    Did Tim and Sundar really think that, having sniffed weakness once, Trumpist shakedowns would pass them over the next time a pro quo could be extracted for the quid?

    Did they not understand that by participating in oligarchy they signed on to authoritarianism?

    Did they really fail to calculate that capitulation didn't lower their risks, only centralised them?

    This was all predictable. You don't have to look as far as Russia to understand that autocrats grant temporary loans of state power towards undemocratic ends to create leverage for themselves, not the borrower. And whatever the price, autocrats never stay bought.

    Everyone but the smartest people in the room knew that domination is a ladder, and now we're all paying the price.

I find them on the street & shadow.

It wasn’t until the end of our chat that I learned her name.